Iptables: Allow MySQL server incoming requests on port 3306
MySQL is a popular database for web applications and acts as the database component of the LAMP, MAMP, and WAMP platforms. Its popularity in web applications is closely tied to the popularity of PHP, which is often combined with MySQL. MySQL is an open source database server and by default it listens on TCP port 3306. In this tutorial you will learn how to open TCP port 3306 using the iptables command line tool on a Linux operating system.
Task: Open port 3306
In most cases the following simple rule opens TCP port 3306:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
The following iptables rules allow incoming client requests (open port 3306) for the server IP address 202.54.1.20. Add the rules to your iptables shell script:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
However, in real life you do not wish to give access to everyone. For example, in a web hosting company you need to give access to the MySQL database server from the web server only. The following example allows access to the MySQL database server (202.54.1.20) from the Apache web server (202.54.1.50) only:
iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
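As an added example (not from the article), the following POSIX shell script generates the restricted rule set above for one database host and any number of trusted clients, validates every address before it can reach a root shell, and appends an explicit REJECT so the restriction also holds when the INPUT chain's default policy is ACCEPT. It uses the conntrack match, which current iptables releases recommend over the older state match; the addresses are the article's.

```shell
#!/bin/sh
# Added example (not from the article): print iptables rules that restrict
# TCP 3306 on the database host to a list of trusted client addresses and
# reject every other source. Review the output, then pipe it to a root shell:
#   sh mysql-fw.sh | sudo sh

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. Anything that is
# not an address must never be interpolated into a command run as root.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for database host $1 and trusted clients $2, $3, ...
mysql_rules() {
    db=$1; shift
    valid_ipv4 "$db" || { echo "bad database address: $db" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no trusted clients given" >&2; return 1; }
    for client in "$@"; do
        valid_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
        # New and established connections from this client only
        printf 'iptables -A INPUT -p tcp -s %s -d %s --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$client" "$db"
        # Replies from the server (only needed when the OUTPUT policy is DROP)
        printf 'iptables -A OUTPUT -p tcp -s %s --sport 3306 -d %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$db" "$client"
    done
    # Everyone else gets a TCP reset, so the rules above restrict access even
    # when the INPUT chain's default policy is ACCEPT
    printf 'iptables -A INPUT -p tcp -d %s --dport 3306 -j REJECT --reject-with tcp-reset\n' "$db"
}

# The article's hosts: database 202.54.1.20, trusted Apache web server 202.54.1.50
mysql_rules 202.54.1.20 202.54.1.50
```

Because the REJECT rule is appended last, order matters: keep the trusted-client ACCEPT rules ahead of it, and check the result with iptables -S INPUT after applying.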
Please note that if you follow the above setup, you need to tell all your hosting customers to use 202.54.1.50 as the MySQL host in their PHP/Perl code. A better approach is to create the following entry in the /etc/hosts file, or to use a fully qualified domain name (create a DNS entry) such as mysql.hostingservicecompany.com which points to the 202.54.1.50 IP:
202.54.1.50 mysql
In short, the MySQL database connection code in PHP hosted on our separate web server would look as follows:
// ** MySQL settings ** //
define('DB_NAME', 'YOUR-DATABASE-NAME');   // The name of the database
define('DB_USER', 'YOUR-USER-NAME');       // Your MySQL username
define('DB_PASSWORD', 'YOUR-PASSWORD');    // ...and password
define('DB_HOST', 'mysql');                // mysql i.e. 202.54.1.50
// ** rest of PHP code ** //
Task: Allow outgoing MySQL request on TCP port 3306
You can also allow outgoing MySQL client requests (made via the mysql command line client or a Perl/PHP script) from the firewall host 202.54.1.20 as follows:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
A note about Ubuntu Linux users
The Linux kernel in Ubuntu provides a packet filtering system using netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. However, Ubuntu also comes with the easy-to-use ufw (Uncomplicated Firewall) tool. To open port 3306, enter:
sudo ufw allow 3306
## only allow subnet 192.168.1.0/24 to connect to our mysql server ##
sudo ufw allow from 192.168.1.0/24 to any port 3306
For more information, read the man page of the iptables command:
$ man iptables